Kris nailed these questions.
On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
> Interesting!
> A few questions (and sorry if some of these are silly questions):
>
> * In the gist, it's mentioned that the secret is stored in the Session Local; a secret is supposed to be reused, right? But with session Local, the secret will be deleted after each session. Did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?
>
>
> * If the secret is stored in the browser, can a user log in to this webapp when using another device (or does he have to register again)?
Sure! Everything in the world is dangerous, even 2-factor authentication (http://www.schneier.com/blog/archives/2005/03/the_failure_of.html), and I'm aware of it. We already had a discussion with the iOS team, because the secret is sent over the network. But since QR code scanners would be complex in iOS land, we decided to have working code and improve it later.
> * The secret is passed over the network the first time; isn't that dangerous ;) ?
How the secret will be provided is not a big deal for the initial release; my goals are:
- Generate the secret
- Generate valid OTPs
At the end of the day, developers will choose how they will provide the secret: images, captchas, voice recognition, a piece of paper. We're just trying to provide examples of how to send it.
If you look at aerogear-otp-java, there's no QR code there, and that's the idea: you choose.
Looks really interesting, Sebi; I didn't get a chance to test anything close to it. You can add features, comments and concerns here if you want: https://github.com/aerogear/aerogear.org/pull/56
>
> * Option 4, with the behind-the-scenes flow, avoids making users switch between an OTP screen and a login screen, right? That seems like a nice option.
>
> * Is something like image-based authentication maybe an option to investigate (identify the cat, the boat, etc.)? http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm
>
>
> Sebi
Thanks for your review.
>
>
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew@apache.org> wrote:
> > Nice!!!
> >
> >
> > On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > > Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.
> > >
> > > https://gist.github.com/abstractj/d618faceee388a9d403a
> > >
> > > Basically, scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide a bad user experience.
> > >
> > > I'll start filing some Jiras for myself; if you have any additions, let me know.
> > >
> > >
> > > --
> > > "The measure of a man is what he does with power" - Plato
> > > -
> > > @abstractj
> > > -
> > > Volenti Nihil Difficile
> > >
> > >
> > >
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev@lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >